reeradius + Cisco Anyconnect group policy Greetings, I recently just deployed a freeradius server to authenticate our Cisco Anyconnect VPN users against pam/google's OTP. My configs are in place and everything is working fine however recently we've taken on a few contractors that I would like to restrict to a specific tunnel-group/split-tunnel. I dont mind creating SSH accounts for them just as long as they have the correct split-tunnel/group policy assigned. Currently my test user can log into both tunnel-groups. Currently in users.conf my auth default type is "DEFAULT Auth-Type := PAM" Can this be done via /etc/group + pam or do I need to add these users to users.conf and then apply the attributes "ASA-Group-Policy" and "ASA-IPsec-Split-Tunnel-List" to them? Should I see the policy/tunnel-group name being sent from my ASA to my radius server? This is currently what I see via raddb -XXX when I connect using either tunnel-group. Received Accounting-Request Id 174 from x.x.x.x:1026 to x.x.x.x:1813 length 135 User-Name = 'username' NAS-Port = 122380288 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = x.x.x.x Called-Station-Id = 'x.x.x.x' Calling-Station-Id = 'x.x.x.x' Acct-Status-Type = Start Acct-Delay-Time = 2 Acct-Session-Id = 'B5F00188' Acct-Authentic = RADIUS NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = 'x.x.x.x' NAS-IP-Address = x.x.x.x Does anyone currently have this implemented or a sample config I can review, or am I going about it in the wrong way? radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Mar 5 2015 at 23:41:36